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ABSTRACT 

Tile inspection and repair activities have implicit 
hazards associated with them. When an Extra Vehicular 
Activities (EVA) crewmember and associated hardware 
are added into the equation, additional hazards are 
introduced. Potential hazards to the Extravehicular 
Mobility Unit (EMU), the Orbiter or the crew member 
themselves are created. In order to accurately assess the 
risk of performing a TPS inspection or repair, an 
accurate evaluation of potential hazards and how 
adequately these hazards are controlled is essential. 

The EMU could become damaged due to sharp edges, 
protrusions, thermal extremes, molten metal or impact 
with the Orbiter. Tools, tethers and the presence of a 
crew member in the vicinity of the Orbiter Thermal 
Protection System (TPS) pose hazards to the Orbiter. 
Hazards such as additional tile or Reinforced Carbon- 
Carbon (RCC) damage from a loose tool, safety tethers, 
crewmember or arm impact are introduced. 
Additionally, there are hazards to the crew which should 
be addressed. Crew hazards include laser injury, 
electrical shock, inability to return to the airlock for 
EMU failures or Orbiter rapid safing scenarios, as well 
as the potential inadvertent release of a crew member 
from the arm/boom. 

The aforementioned hazards are controlled in various 
ways. Generally, these controls are addressed 
operationally versus by design, as the majority of the 
interfaces are to the Orbiter and the Orbiter design did 
not originally account for tile repair. The Shuttle 
Remote Manipulator System (SRMS), for instance, was 
originally designed to deploy experiments, and therefore 
has insufficient design controls for retention of the 
Orbiter Boom Sensor System (OBSS). 

Although multiple methods to repair the Orbiter TPS 
exist, the majority of the hazards are applicable no 
matter which specific repair method is being performed. 
TPS Inspection performed via EVA also presents some 
of the same hazards. Therefore, the hazards common to 
all TPS inspection or repair methods will be addressed. 

1. TPS Inspection and Repair Methods 
1.1. Inspection 


Nominally, on-orbit inspection of Orbiter TPS is 
performed by the Laser Dynamic Range Imager (LDRI), 
the Laser Camera System (LCS), and the Intensified 
Television Camera (ITVC). All of these sensors are 
located on the end of the OBSS, which is a 50-foot long 
boom that may be grasped and moved by the Orbiter’ s 
Shuttle Remote Manipulator System (SRMS) (robot 
arm), and does not normally involve EVA crew. 
However, should a failure occur, or the Mission 
Management Team (MMT) decide it is necessary, an 
EVA crewmember may be sent to perform a visual 
inspection or take digital images for a photogrammetry 
assessment. 

Depending on the location of the potential damage site, 
the EVA crew may be on the end of the SRMS or may 
have to ingress an articulating portable foot restraint on 
the end of the OBSS. Potential scenarios of EVA 
inspection include up to 3 inspections of specific 
potential damage sites, or a complete 
visual/photographic examination of the Orbiter wing- 
leading edge. Either scenario involves similar initial 
tasks of setting up for ingress into the articulating 
portable foot restraint (APFR) on the RMS or the 
OBSS. The robotic arms are used to manuever the crew 
to the locations necessary for taking digital photographs. 
After photography is complete, the crew is manuevered 
back to the payload bay sill for egress from the APFR 
and clean-up for return to the airlock. Normally, for 
TPS inspection, the EVA crew is at least five feet away 
from the TPS, generally more than ten feet. These EVA 
tasks can take as little as 4 hours for a single inspection 
point, or 7 hours if the entire wing-leading edge of the 
Orbiter is being inspected EVA. 



Figure 1. SRMS/OBSS on STS-114 



1.2. Repair 

TPS repair options are only achievable EVA. TPS 
repair options include use of the shuttle tile ablator-54 
(STA-54) material, emittance wash, or tile overlay 
system for tile repair, and either non-oxide adhesive 
experimental (NOAX) material or an RCC plug for 
RCC repair. Any of these options involve the use of 
specialized EVA tools (see Figure 2 and 3), as well as 
proximity to the Orbiter TPS. 



Figure 2. Example RCC repair tools[l] 
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Figure 3. Emmittance Wash Applieator[l] 


Also, all repair options involve tasks that are estimated 
to last at least six hours. If the location of the repair is 
far enough back on the bottom of the Orbiter, then the 
use of the OBSS is required for the EVA crew to 
perform a repair. If the OBSS is not required, then the 
SRMS or the Space Station Remote Manipulator 
System (SSRMS) may be used as a worksite platform. 
Use of the SSRMS is obviously only possible while the 
Orbiter is docked to the ISS. So, for repair options as 
well as for EVA Inspection, the EVA worksite platform 
will be either the OBSS or one of the robotic arms. 


During flight STS-114, the EVA crew performed a 
removal of a TPS gap-filler. The location of the gap- 
filler was far enough forward on the Orbiter that the 
SSRMS was used as the EVA worksite platform for this 
operation. A detailed test objective (DTO) was 
performed during EVA 1 for STS- 121 to determine the 
flexibility of the OBSS under EVA loading conditions. 
As a result of these two EVA tasks, the generic EVA 
hazards associated with TPS Inspection and Repair have 
been assessed and controls have been identified by the 
Shuttle and Station programs. 


2. EMU Hazards 

The most common EVA hazards are those applicable to 
the EMU. Because the suit can be considered an 
independent space vehicle, which provides life support 
to the crewmember, damage to the suit can be life- 
threatening. 

2.1. Sharp Edges 

One of the most common EVA hazards is puncture of 
the suit due to sharp edges, burrs, corners, etc. While 
the EMU has a secondary oxygen supply in the case of a 
leak, that supply is designed based on a very small 
puncture size. Therefore, any puncture to the suit 
greater than a quarter inch would result in a loss of 
crew. Even a pin-hole puncture will result in the return 
of the crew to the habitable environment, with 
subsequent loss of the EVA task. Therefore, it is 
important to assess the EVA worksite and tools 
involved in the TPS Inspection/Repair task to ensure all 
potential sharp edges are adequately controlled. 

Most of the hardware utilized in an EVA Inspection or 
TPS repair has been assessed and verified to not be a 
puncture hazard. Unfortunately, due to design 
constraints, some hardware was identified with sharp 
edges. Examples of such hardware are the LDRI baffle, 
the electrical flight-releasable grapple fixture (EFGF) 
grapple release, and the Integrated Boom Assembly 
(IBA) grapple fixture cam arms. 

In the case of the LDRI baffle, the small ledges at the 
sensor aperture area do no meet the requirements of 
rounding to prevent a sharp edge hazard. The crew is 
trained to know where this area is, and avoid touching 
this area with the EMU glove. The area of concern is 
too small for anything other than a gloved finger to 
access. The crew also has a warning in the procedures 
to avoid contact with the baffle. 

Neither the EFGF grapple fixture, nor the cam arms are 
contacted nominally by the EVA crew during an 
Inspection or Repair. The crew is cautioned about the 
areas during TPS training to avoid these areas. The 



crew is also cautioned during training about some 
hardware that is a concern for use in other EVA tasks 
that they may be exposed to during an inspection or 
repair EVA. These include SRMS joint hard stops, 
electrical connectors, and the inside of the worksite 
interface fixture (WIF). In all cases, the program has 
accepted the risk of sharp edges with the assurance of 
the crew and the operations personnel that these items 
are avoidable during EVA operations. 

In addition, RCC and tile were assessed to see if either 
were a sharp edge hazard. The assessment performed 
identified damaged RCC and tile as the most likely to be 
a sharp edge hazard. While the tile and RCC did not 
meet rounding requirements, the analysis and test 
performed showed that the damaged RCC and tile 
would break or compress prior to damaging the EMU. 

2.2. Touch Temperature 

In the EVA environment, thermal extremes are a 
primary consideration. Contact by an EVA 
crewmember with any external hardware that exceeds 
the touch temperature limits could result in damage to 
the suit and injury or even loss of crew. For hot 
surfaces, the pain threshold is usually reached prior to 
any physical injury to the crew. Cold extremes are 
more difficult to control operationally since the crew’s 
hands and feet become numb prior to damage from 
frostbite or other cold-related injuries. In fact, at least 
one crewmember has suffered frostbite due to holding 
onto cold hardware too long. 

All repair and inspection tools were thermally assessed 
to determine its use created a hazardous thermal 
extreme. In all cases, either the tools stayed within the 
allowed -80°F to +150°F (-63°C to 65°C) range for 
continuous contact, or were analyzed further. Further 
analysis confirmed that these tools had the correct 
thermal properties to stay within allowable limits for the 
time necessary to perform the tasks with the use of EVA 
glove heaters. Additionally, thermal analysis was 
performed to ensure that EMU glove contact with the 
tile and RCC panels would not result in a hazard. These 
analyses resulted in a warning to the crew to avoid 
prolonged contact with the RCC panels, as such contact 
will exceed the glove design limits in certain thermal 
profiles and cause critical damage. 

2.3. Molten Metal 

The OBSS is designed to be able to receive power from 
the Orbiter both when docked in the payload bay and 
when attached to the SRMS. This power is used both to 
run the sensors at the end of the OBSS, and to keep 
heater power to the sensors on the end of the OBSS. 
Therefore it has electrical connectors in two locations 
on the OBSS. When docked in the payload bay, the 


connector for attachment to the SRMS (EFGF 
connector) is exposed. When connected to the SRMS, 
the connector for attachment to the Orbiter, referred to 
as the Manipulator positioning mechanism 
(MPM)/OBSS saddle contacts, will be exposed. Neither 
connector was designed to be covered when not in use. 
As it is unknown until the location of the damage is 
determined which EVA worksite platform will be used, 
both exposed connectors must be considered for the 
potential of molten metal generation. Additionally, 
there are some connectors in the payload bay used for 
power to payloads that should be considered, although 
these are mission specific potential hazards. Any 
exposed connector with the potential for fault current 
over 3Amps is a potential generator of molten metal, if 
a tool comes into contact with a powered pin and a 
return pin or ground. Considering the 100% oxygen 
environment inside the EMU, molten metal is a 
catastrophic hazard. 

The MPM/OBSS saddle contacts leaves both sides 
exposed if the OBSS is attached to the SRMS. Both the 
connector contacts on the OBSS (OBSS Saddle 
contacts) and the connector contacts on the MPM 
(MPM saddle contacts) are exposed. Although the 
voltage provided by the MPM is less than 32V, the fault 
current is well over 3 Amps, and as such is definitely a 
concern for molten metal generation. Ideally, for a 
catastrophic hazard potential, two-fault tolerance would 
be in place. Due to the fact that the OBSS is cannot 
receive power from that circuit when unberthed from 
the MPM, the power to the MPM saddle contacts are 
removed. It would take two faults to provide power to 
the MPM contacts, followed by conductive material 
contacting the power and return contacts, for molten 
metal to be generated. Since the MPM has been 
identified as a no contact area due to concerns with 
damaging the hardware, the crew will already be 
avoiding this area, and will therefore have even less of 
likelihood that tools will be able to reach the slightly 
recessed contacts. 

The OBSS saddle contacts are exposed as well, and are 
also fairly close to the location at which the crew 
installs their safety tether. The concern is that a fault 
will occur, resulting in power flowing backwards to the 
nominal flow. Fortunately, the OBSS has been 
designed with protective circuitry which restricts the 
potential reverse current to much less than 3 amps with 
one failure. This would mean that after two failures, an 
off-nominal event of a metallic object touching the 
contacts would have to occur for the hazard to result. 
This risk was deemed acceptable considering the 
contacts are flat, not proud, and that the chance of 
generation of molten metal decreases with the surface 
area contacted. 



Should the EVA worksite platform be the SRMS, the 
OBSS may be berthed in the MPMs in the payload bay. 
In this case, the potential for molten metal generation 
due to the exposed EFGF connector should be assessed. 
The EVA crew may be able to avoid coming closer than 
3 feet to the connector, in which case the EVA tools 
would stay far enough away not to contact the EFGF 
pins. The area of concern for contact is also not very 
large, decreasing the risk of contact. Should the EVA 
crew need to translate nearer than 3 feet to the 
connector, the OBSS sensors can withstand at least the 
fifteen minutes of no heater power necessary to remove 
power from the OBSS, removing the chance of reverse 
current through the EFGF connector due to metal 
contacting a power pin and a return pin or ground. 



Figure 4. SRMS/OBSS Ingress position[2] 


Additionally, there are connectors in the shuttle payload 
bay that are used to power hardware that is transported 
in the payload bay and needs to remain thermally 
conditioned. If that hardware is removed from the 
payload bay prior to the inspection or repair EVA, then 
the connector may be exposed. Due to the design of the 
power lines in the Orbiter payload bay, it is possible to 
have a connector on the same circuit as that powering 
the OBSS sensors heaters. During the STS-121 DTO, 
the Remotely Operated Electrical Umbilical (ROEU) 
connector was exposed during the EVA. For nominal 
operations, the ROEU has less than 32V on some pins, 
and one inhibit to providing more than twice that to 
other pins. The potential fault current in both cases is 
over the 3Amp minimum necessary for molten metal 
generation. Unfortunately, the ROEU connector was on 
the same circuit as the LCS heater power. The crew 
also had to come closer than one foot to this connector 
for set-up of the APFR onto the OBSS. Therefore, a 
thermal analysis was performed to ascertain if the time 
needed to set-up the APFR caused the LCS to cool 
below thermally acceptable limits. Since that analysis 
was favourable, the ROEU and LCS circuits were 
inhibited, with three separate electrical inhibits, during 


that EVA operation. Inhibits in this case are defined as 
a break in the circuitry, such as a circuit breaker or 
switch. Should the need arise for performing an 
inspection or repair on a future flight with an exposed 
ROEU connector, a flight specific analysis would have 
to be performed to ensure the LCS thermal profile still 
allowed sufficient time for OBSS set-up to be 
performed. 

Due to the fact that three inhibits are not in place for all 
the potential causes of molten metal generation, the 
program has identified this as an accepted risk. 
However, with the necessity of contacting a small 
surface area for the hazard to exist, this risk is 
considered remote. 

2.4. EMU Contamination 

The EMU material may be contaminated by hazardous 
materials, resulting in loss of pressure barrier, changes 
in thermal emittance properties, or visor occlusion. The 
sources of contamination assessed for TPS inspection 
and repair are damaged tile and RCC, and repair 
materials. 

The tile, RCC, and repair materials were assessed to 
verify materials compatibility with the EMU. The tile 
and RCC were assessed as not being a hazard to the 
EMU surfaces. NOAX impacts the glove thermal 
properties, but only to the extent of effecting the 
emittance properties of the glove, making the gloves 
less able to handle high temperature environments. 
NOAX, STA-54, and Emittance Wash may occlude the 
visor, however cleaning procedures have been 
established to preclude long-term damage of the visor. 
Prior to return to the habitable environment, the crew 
would have to confirm that no material is being 
returned. 

3. Crew Hazards 

Next, hazards to the crew themselves should be 
examined. These hazards may be affected by hazards to 
the EMU, or may be completely unrelated. 

3.1. Electrical shock 

In the case of electrical shock, the causes of potential 
electrical shock during EVA TPS Inspection and repair 
are already identified as molten metal concerns. Any 
potential molten metal concern is also an electrical 
shock hazard if the potential voltage is greater than 32V. 
In the case of the MPM saddle contacts and the OBSS 
saddle contacts, the voltage is never greater than 28V 
and is therefore not a concern for electrical shock. In 
the case of the ROEU connector, there is potential for 
voltage significantly greater than 32V and is therefore a 
potential electrical shock hazard. However, to control 
for molten metal, it was already determined that power 




would be inhibited to the ROEU connector when the 
crew was in the area, so this hazard has already been 
assessed as adequately controlled. 

3.2. Lasers 

There are two sensors at the end of the OBSS that 
expose the EVA crew to potential eye hazards, the 
aforementioned LCS and LDRI. Since both these 
sensors utilize laser radiation, they were assessed for 
potential hazard to the crew. Both the LCS and LDRI 
lasers are considered hazardous due to the ability to 
cause eye damage. In fact, both are identified as Class 
3b lasers or greater. Although it is possible that the 
LDRI and LCS will be unable to receive power other 
scenarios are possible that would leave power available 
to the sensors and still require EVA inspection or repair 
of TPS. Therefore, the assumption is that laser power is 
potentially present to harm the crew. 



Figure 5. Inspection Sensors 


The LCS has a significantly larger nominal hazard zone 
(NHZ) than the LDRI. Both the LCS and LDRI NHZ 
had initially been identified as EVA keep-out zones 
(KOZs) for EVA activities when the OBSS is attached 
to the SRMS. When the OBSS is berthed in the MPMs 
in the Orbiter payload bay, it is possible for the laser 
circuitry to receive power. However, while preparing 
for the STS-121 OBSS DTO, the EVA operations and 
training personnel identified a concern that the crew 
could not avoid these KOZs and still set-up the APFR 
and ingress the OBSS. 

When the LDRI was assessed for this concern, it was 
identified that the LDRI has software that can place the 
LDRI in a heater only mode that does not expose the 
crew to the laser hazard. Next, simulations were 
assessed using the Dynamic Ubiquitous Orbiter 
Graphics (DOUG) software to ensure that it is possible 
to point the LDRI using the pan/tilt unit on which it is 
mounted to direct the KOZ to a location the crew could 
avoid. Finally, it was determined that the ability to 
command the LDRI could be configured such that it 
required more than one crew action to either move the 
LDRI KOZ or to change to mode of the LDRI from 


heaters only to lasing. Finally, it was confirmed by the 
manufacturer of the LDRI that more than one failure 
was required to change modes as well. For any future 
EVA TPS repair or inspection, these same actions of 
pointing the LDRI, and putting it in the heaters only 
mode would have to be performed. 

For the LCS, a slightly different approach was taken. 
The LCS is not mounted on a pan tilt unit, and therefore 
the KOZ for the LCS is not as maneuverable with 
respect to the OBSS ingress location. After examining 
the LCS KOZ with the DOUG software, it was 
determined that the LCS KOPZ was only unavoidable 
during ingress and egress from the OBSS in the payload 
bay. Since the LCS and ROEU connector were on the 
same circuit for STS-121, the LCS was already being 
inhibited with three separate inhibits during OBSS 
ingress, as the location and time of concern for the 
ROEU molten metal and shock hazard was also OBSS 
ingress. It is important to note that the location of the 
LCS KOZ makes it impossible for the crewmember 
actually on the OBSS to be exposed to the laser hazard. 
Additionally, should an EVA repair or inspection task 
be necessary on a future flight, the thermal analysis 
performed to ensure no damage to the LCS hardware 
would need to be reassessed with flight specific 
information. 

3.3. Contamination from Thrusters Firings 

Due to the fact that a TPS inspection or repair EVA 
would require the crew to be outside the Orbiter payload 
bay, the EVA crew would have the potential to be near 
Orbiter thrusters, depending on the location of the 
damage. Proximity to the thrusters exposes the EVA 
crew to the potential for exposure to hydrazine, which is 
a hazardous substance. Should the damage location 
place the EVA crew in proximity to thrusters, the 
thrusters will be inhibited from firing. These inhibits 
would also be in place should the EVA crew be 
translating near the thrusters on the SRMS/OBSS. Due 
to the fact that there are only two inhibits present for 
prevention of thrusters’ firings, and failures have been 
identified which may overcome these inhibits, 
additional measure for exposure to hydrazine have been 
identified. Should the EVA crew be contaminated by 
hydrazine, it is possible to remain in the EVA 
environment and ‘bake-out’ the hydrazine. This method 
has been analyzed to require no more than 30 minutes of 
bake -out time, and can be performed with the EVA 
crew connected to airlock consumables if necessary. 

3.4. Detached Crew 

The potential of detached EVA crew must also be 
addressed in an EVA inspection or repair scenario. The 
potential causes of detached crew are a failure of the 
EVA safety tether, failure of the structure to which the 


EVA tether is attached, or the inadvertent release of the 
OBSS from the SRMS. 

The EVA safety tether is two-fault tolerant to failure of 
the hook. The EVA safety tether is also design to 
withstand the load of an EVA crewmember coming 
loose from structure at the nominal rate of translation 
with a safety factor without failing. Additionally, the 
EVA safety tether is designed with a breakaway 
function which will slow the crewmember down before 
he reaches the end of the tether, reducing the load to 
underlying structure. 

The underlying structure that the EVA safety tether is 
attached to is also designed to withstand the load of an 
EVA crewmember coming loose at a nominal 
translation rate times a safety factor. The crew is also 
trained to which structure the safety tether can be 
attached. In the case of performing an inspection or 
repair EVA off the Boom, the safety tether is attached to 
the handrail on the end of the SRMS prior to the crew 
ingressing the APFR on the mid-point or tip of the 
OBSS. 

Finally, there is the concern with inadvertent release of 
the OBSS from the SRMS. Initially, the SRMS was 
assessed as a single mechanical failure away from 
losing the OBSS. Flowever, an assessment was 
performed prior to the STS-121 DTO that confirmed the 
SRMS has a design for minimum risk mechanism that is 
equivalent to single-fault tolerance for failure. This 
assessment was performed with analyzed EVA load 
cases, which were subsequently confirmed to envelope 
the EVA load cases observed on the STS-121 DTO. In 
addition, the mission operations directorate performed 
test in the Neutral Buoyancy Lab (NBL) that confirmed 
the EVA crew could easily get out of the APFR. Should 
the OBSS be released, the crew would quickly egress 
the APFR, and use the safety tether to return to 
structure. If the safety tether were to become snarled 
with the OBSS, the EVA crew could release the safety 
tether and use the SAFER to return to structure. Due to 
the fact that the last two options for controlling these 
hazards are difficult to verify in a robust manner, this 
hazards was again considered a remote likelihood, and 
therefore classified as an accepted risk by the shuttle 
program. 

In addition to the aforementioned causes for loss of 
EVA crew, there is also the potential for inadvertent 
jettison of the SRMS with the OBSS and EVA crew 
attached. This hazard is controlled by the use of three 
inhibits. All three are verified to be in the proper 
position to prevent SRMS jettison prior to the start of 
EVA operations. 


3.5. Ability of Crew to Return 

The ability of the crew to safely return to the habitable 
volume in a contingency situation that also needs to be 
addressed. Both the EMU and the SRMS/SSRMS have 
single point failures that be considered for this question, 
as we must be able to withstand and failure and still 
return the crew safely. 

In the case of the EMU, it is possible for a single failure 
to result in a loss of cooling, or for a puncture in the suit 
to occur. This results in a need to utilize the secondary 
oxygen supply, resulting in a nominal 30 minute time 
limit for return to the habitable environment. If the 
location is far enough aft on the Orbiter belly, it is not 
possible with SRMS and translation time to reach the 
airlock in less than thirty minutes. However, 30 
minutes is the nominal time limit. In an effort to 
mitigate this risk, it was determined that EVA tasks in 
the location of risk would occur early in the EVA 
timeline, so that extra oxygen would be available in the 
primary oxygen tanks. Also, the nominal amount of 
oxygen in the secondary oxygen pack is actually lower 
than the total possible amount of oxygen. Depending 
on the time since the secondary oxygen pack was filled 
there may be additional oxygen. This would give 
additional time for the crew to return. Also, the vent 
used for cooling failures is the larger sized vent, and 
while the crew is being moved by the SRMS/OBSS, it is 
possible to sue the smaller helmet vent as the crew is 
not building up as much heat due to activity. Overall, it 
will need to be a real-time assessment based on damage 
location and the amount of oxygen in the secondary and 
primary tanks. 

The SRMS may fail in such a way that single joints may 
not move or the entire SRMS may not move. If the 
failure is only a single joint failure, the SRMS software 
and crew training ensure it is possible for the crew to 
return to structure with the remaining joints. Should all 
the SRMS joints fail, the crew is able to translate down 
the OBSS/SRMS and return to structure. More than a 
single failure would have to occur for all RMS joints to 
fail. This is also true if the EVA worksite platform is 
the SSRMS, or the SRMS without the OBSS. 


4. Orbiter Hazards 

In addition to hazards to the EMU and crew, hazards to 
the Orbiter must be considered. The likelihood and 
consequences of hazards to the Orbiter are exacerbated 
by the proximity to the Orbiter TPS necessary. 

4.1. Structural Failure of OBSS 

Structural failure of the OBSS while the EVA crew is 
attached to the OBSS would be a hazard to the crew as 
well as to the Orbiter. However, the proximity of the 



OBSS to the Orbiter TPS means that the structural 
failure of the OBSS would result in the loss of the 
Orbiter as a whole. Additionally, there is some chance 
that the structural failure of the OBSS might result in 
damage to the ISS as well. 

With the exception of kick-loads, the manufacturer of 
the OBSS has indicated that all anticipated design loads 
are within structural design limits, and positive margins 
are preserved. The EVA loads used in this analysis 
were reached by analysis, then confirmed to be 
enveloped by the STS-121 DTO observed loads. 

In the case of EVA kick-loads, the composite structure 
of the Boom did not meet the required 125 ftlb load. [3] 
Due to the nature of the composite material, the 
manufacturer was not able to completely identify how 
the Boom would fail if the inadvertent load was applied, 
only that the structural analysis confirmed 125 ft/lbs 
exceeded the allowable loads. As a result, the crew was 
trained to avoid contact with the composite structure. In 
the case of an EVA task to inspect or repair TPS from 
the Boom mid-point or tip, the operations personnel and 
crew were confident that the composite material would 
not be inadvertently contacted. As the only control for 
this hazard is an operational control, the hazard was 
identified as remote likelihood an accepted by the 
shuttle program as an accepted risk. 

4.2. Loss of control of OBSS/SRMS 

The loss of control of the SRMS/OBSS would in the 
worst case result in collision of the SRMS/OBSS with 
the Orbiter. Potentially, it could also result in collision 
between the EVA crew and the Orbiter, resulting in loss 
of crew and catastrophic damage to the Orbiter. Loss of 
control could potentially be caused by excessive EVA 
loads and flexibility of the SRMS/OBSS or by software 
failure or incorrect IVA crew commanding. 

The flexibility of the OBSS/SRMS was assessed during 
the STS-121 DTO. Prior to the DTO, the EVA crew 
were trained to minimize EVA loads into the boom by 
reacting loads during APFR installation, 
reconfiguration, ingress and egress, performing tool/bag 
reconfiguration prior to Boom ingress and avoiding 
harsh or sudden body movement while on the boom. 
These constraints remain in place for any future TPS 
EVA tasks. In addition, prior to the DTO, the crew was 
trained to only ingress the APFR at the Orbiter sill, and 
to perform real-time APFR reconfiguration at the 
Orbiter sill, as well as having the second crewmember 
hold the Orbiter sill and boom for stabilization during 
these operations. The STS-121 DTO confirmed that the 
OBSS was slightly less flexible than anticipated by 
analysis, as well as that the SRMS/OBSS were an 
acceptable platform for the majority of EVA inspection 
and repair operations. For this reason, the constraints 


regarding APFR ingress/egress away from the sill were 
deemed unnecessary. In fact, the initial expected EVA 
loads necessary to perform repair tasks were such that 
the SRMS brake slip either didn’t occur or would 
change the position of the tip of the boom less than 5 
feet in any direction. Since the tip of the Boom will 
remain further than 5 feet form the Orbiter, this 
precludes collision. 

The SRMS is designed to prevent runaway due to 
software failures at such a rate of speed that corrective 
action cannot be taken. The rate of speed of the SRMS 
is determined by how close the SRMS is to structure. 
Vernier rates, which are the slower rates, are used when 
the SRMS is close enough to structure that the crew has 
sufficient time to react and either change or stop the 
motion of the arm. In addition, these rates are slow 
enough for the EVA crew to perform avoidance 
maneuvers such as a layback, if necessary. 

Due to the fact that operational controls are necessary to 
avoid this hazard, loss of control of the SRMS was 
recognized as a remote likelihood event and accepted as 
a risk by the shuttle program. 

4.3. Loose EVA Tools 

The effects of loose EVA tools during a TPS inspection 
or repair EVA task range from possible loss of Orbiter 
from catastrophic damage to the TPS to loss of EVA 
crewmember from damage to the EMU. EVA tools 
designed to support inspection or repair are stored in 
individual caddies or are restrained in tool bags when 
not in use. When removed from these caddies or bags, 
the tools are required to be tethered at all times. These 
tethers are provided to protect against inadvertent 
release of the tools by the EVA crew. In addition, for 
repairs where several tools are necessary, one 
crewmember will be acting as a tool tender, handing off 
tools to the crewmember performing the repair, such 
that the crewmember closest to the TPS will not be 
responsible for managing the tools. 

In addition to loose EVA tools used directly for 
inspection or repair, a slack safety tether may snag or 
lash against TPS or other critical Orbiter hardware with 
resultant damage to TPS and loss of vehicle. The tether 
is designed such that it auto-retracts to maintain tension. 
The crew is trained to configure the tether properly such 
that adequate tension is maintained. 

Due to the fact that the only controls in place while the 
tools are being used are operational in nature and that 
tether operation also requires operational controls, this 
hazard is considered a remote likelihood. 



4.4. Collision of EMU with Orbiter TPS 

Collision of the EMU, particularly the helmet, could 
result in damage to the Orbiter TPS beyond that which 
was already present. The stability of the worksite 
platform, specifically the OBSS/SRMS which was 
verified during the STS-121 DTO, impacts the risk of 
this hazard occurring. Considering that the STS-121 
DTO verified that the OBSS/SRMS platform was 
sufficiently stable to handle the majority of repair and 
all inspection tasks without moving the crewmember 
more than 5 feet, the likelihood of this hazard has 
decreased. 

Prior to the STS-114 gap-filler removal, testing was 
performed to envelope the risk of damage to the TPS 
due to EMU impact. This testing only addressed tile 
impact, not RCC impact. The analysis was performed 
to test for helmet impact into tile at various “heads 
down” angles in an effort to determine the force needed 
to damage tile. At the highest force credible 
catastrophic damage to tile did not result. RCC damage 
due to helmet impact has not yet been assessed and 
would need to be addressed real-time prior to an EVA 
repair. Prior to that assessment, the assumption is that 
damage is possible and can only be controlled by 
situational awareness of the EVA crew and SRMS 
operator. As such, this is currently a remote likelihood 
hazard, and has been accepted by the program. 

5. Conclusion 

While several hazards have been identified for an EVA 
inspection or repair of TPS, these hazards have been 
documented and brought to the Shuttle and ISS 
programs. Should a real-time need for a TPS repair 
occur, these hazards will be assessed and weighed 
against the consequences and risks of not performing a 
repair. In the case of a real-time event several of these 
hazards would need to be re-assessed to ensure valid 
controls are still in place, but with the work performed 
prior to STS-114 and STS-121 the controls are already 
identified and therefore much easier to validate. In 
addition, this work assisted in determining what training 
the EVA crew would need to be prepared to perform a 
contingency EVA TPS repair. 
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